CVE-2023-30570Uncontrolled Resource Consumption in Libreswan

CWE-400Uncontrolled Resource Consumption12 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 59.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
LibreswanDebian LibreswanRedhat Enterprise Linux+6 more
Timeline
PublishedMay 29

Description

pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

debiandebian/libreswan< libreswan 4.10-2+deb12u1 (bookworm)
Debianlibreswan/libreswan< 4.3-1+deb11u4+3
NVDlibreswan/libreswan3.284.10+2
CVEListV5libreswan/libreswanAffects libreswan v4.9-1.el8 and libreswan v4.9-1.el9, Fixed in libreswan v4.9-3.el8_8 and libreswan v4.9-4.el9_2

Also affects: Enterprise Linux 8.0, 9.0, 8.8, 9.2

🔴Vulnerability Details

6
OSV
CVE-2023-30570: pluto in Libreswan before 42023-05-29
GHSA
GHSA-4h3c-85v5-c6x6: pluto in Libreswan before 42023-05-29
CVEList
CVE-2023-30570: pluto in Libreswan before 42023-05-28
GHSA
GHSA-gcrh-c42h-m2vw: A vulnerability was found in the libreswan library2023-05-18
OSV
CVE-2023-2295: A vulnerability was found in the libreswan library2023-05-17

📋Vendor Advisories

4
Microsoft
pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.2023-05-09
Red Hat
libreswan: Regression of CVE-2023-30570 fixes in the Red Hat Enterprise Linux2023-05-09
Red Hat
libreswan: Malicious IKEv1 Aggressive Mode packets can crash libreswan2023-05-03
Debian
CVE-2023-30570: libreswan - pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishand...2023